Page Two

Executives at Port80 and SecuritySpace said they crawled the sites asking for server header information, which reports the type of server operating system powering the domain. Both companies acknowledged that their information could be skewed if site administrators programmed the software to report an OS other than their own for security, privacy or other reasons.
In addition, each survey simply polled the main server powering the site; other servers within the domain could run other operating systems that were not reported in the survey, they said.

"Weve seen some anomalies, such as sites reporting IIS 6 well before it was even released, so we know theyre playing some games," Reinke said. SecuritySpace could do some other, more intrusive checks to discover the true identity of the OS, "but were a security company," he said. "We dont want to go setting off alarm bells."

Port80s software is such that, now deployed across its servers, the survey could be rerun in a matter of hours, Neppes said. He said the company has not decided whether to rerun the survey at a future time.
SecuritySpaces Reinke said his company hasnt tried to produce its own top 1,000 list. Instead, he said an equivalent metric would be to look at the sites that use Secure Sockets Layer protocols for electronic commerce. There, the race is much more competitive, he said; Apache still holds the top spot in market share, with 48.4 percent of the 162,210 servers the company polled. But Microsofts IIS powered 42.3 percent, the company found.